Nuclear facilities in the UK are some of the most secure in the world against cyber attacks, experts have claimed. The defence comes in response to a report that the global nuclear industry is vulnerable to terrorists and hackers.
The study — from think tank Chatham House — found a “culture of denial” within the industry that puts stations “at risk” from cyber breaches. But Caroline Boylan, the lead author of the study, admitted it would be extremely difficult to hack a nuclear reactor.
“We tried really hard to make sure that the risk didn’t sound overblown in the report,” Boylan told WIRED. “It’s not an immediate threat right now […] We just need to be aware of what the risks are so we can better protect ourselves.”
Despite Boylan’s words of caution, the report’s warnings have been translated into alarmist headlines in the UK press. The Express warned that UK power stations were “‘at risk’ from DEADLY nuclear ATTACK,” while the BBC and Financial Times both spoke of a growing threat.
Boylan added that the report wasn’t intended to overstate the threat of attacks, which would take “an extremely high level of sophistication” to carry out.
Such attacks could only be carried out by other nation states, she added. “Essentially it’s state actors that have the capability to do some kind of serious attack,” Boylan said. “But it’s in no state’s interest to do that.”
The main threat to nuclear facilities comes from the closing of so-called “air gaps”, as external connections have been added to sites. The Chatham House study found that, in recent years, facilities have not invested sufficient time and money in cybersecurity defences and staff awareness as they have broken the air gap.
The research took 18 months to complete and draws on interviews with 30 industry specialists from countries including the UK, US, France, Japan, Ukraine and Russia. Those interviewed included site staff, academics, government officials and international organisations. It found that sites across the world are vulnerable to attack.
The threat to nuclear facilities could become real if an international terrorist group teams up with a renowned hacker — but we’re a few years away from that being a likely possibility, said Boylan. The UK’s nuclear industry has already made significant moves to protect itself against this risk, she explained.
“This threat has already been considered in many of the stations in the UK,” Ian Bonnett, director of Davies Nuclear Associates — an energy consultancy firm — told WIRED. “I don’t see this as a serious threat for the UK nuclear industry.” Bonnett recently co-chaired a UK conference that brought together nuclear management and cybersecurity experts.
The combination of a “very good” Office of Nuclear Regulation, “continuous self questioning,” and a “goal-setting approach to regulation,” makes the UK nuclear industry a global leader in terms of cybersecurity defence, Bonnett explained.
The facilities themselves have hard-wired, independent control systems that are incredibly hard to crack, according to Bonnett. Such systems have been in development since the government’s Strategic Defence and Security Review highlighted emerging threats to nuclear facilities in 2010.
“There are easier industries to go after than the nuclear industry,” said Bonnett. “There are a lot more attacks on the finance sector and retail sector than the more industrial sectors.”
“Does having the Chinese in the UK really change the profile of the threat? Probably not, no,” said Bonnett. If anything, “having a closer working relationship with the Chinese is probably one way to help understand a little bit more about them and work closer with them.”
In response to the Chatham House study, the Department of Energy and Climate Change (DECC) said it takes cyber threats seriously and works hard to protect the UK’s nuclear facilities.
“We take the security of the UK’s nuclear sites extremely seriously, which is why the government has a National Cyber Security Programme in place to keep our national infrastructure sites secure,” a spokesperson from the DECC told WIRED. “The UK’s independent regulator also has strict regulations in place that protect our nuclear sites.”
That regulator, the Office of Nuclear Regulation, oversees the safety and security of the UK’s 37 licensed nuclear sites, and approves their security plans.
“Cyber risks are always developing and no one can afford to be complacent,” a spokesperson for the regulator explained. “In addition to our robust inspection regime, the Office of Nuclear Regulation is constantly reinforcing the importance of cyber security to senior figures across the UK nuclear industry.”
“We agree with the Chatham House report that significant attention must be paid to these issues now and in future,” the spokesperson added.